how does database scoped credential work

Question

I understand how to create and why, but how does then underlying process work?
how does the second server know about the credentials created on the first server when using polybase.
Our security team want an explanation as we wish to connect an on prem SQL box to a third party Azure Database.

Answer 1

As far as I understand, SQL Server uses the stored credential when connecting to the other server. That is, the other server sees in it the connection string.

Thus, the credential is stored in the database. It is encrypted and protected by the database master key. The documentation says that if there is a SECRET, it is protected by the service master key, but I'm wondering if that is correct. That may be a holdover from CREATE CREDENTIAL which creates a server-scoped credential.

Answer 2

Hi，Colin Ferguson

Create database credentials through CREATE DATABASE SCOPED CREDENTIAL.

Database scoped credentials are stored in the system catalog of SQL Server and are stored in an encrypted manner.

When performing tasks, the PolyBase engine uses the credentials stored in the system to establish a connection with the external data source.

This is because the credentials are bound together with the external data source definition. Then create the external data source through CREATE EXTERNAL DATA SOURCE and specify the credentials just created.

Since the scoped credentials are stored in the system catalog of SQL Server, they can only be accessed with the appropriate permissions, ensuring the security of the credentials during transmission.

When creating an external data source, different database drivers support different encryption options. Refer to CREATE EXTERNAL DATA SOURCE CONNECTION_OPTIONS.

Best Regards,

Mikey Qiao

---

If you're satisfied with the answer, don't forget to "Accept it," as this will help others who have similar questions to yours.